TriZetto Provider Solutions
Analysis of the TriZetto Provider Solutions data breach affecting over 3.4 million patients. An 11-month unauthorised access to healthcare claims processing systems exposed SSNs and health data.
Published by the Scrutex.ai Research Team | March 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: TriZetto Provider Solutions. Missouri-based subsidiary of Cognizant providing revenue management and claims processing services to healthcare providers across the United States.
Sector: Healthcare IT / Revenue Management
Region: United States
Date of Incident: November 2024 to October 2, 2025 (approximately 11-month dwell time)
Date Disclosed: Late 2025 (notifications began); March 2026 (breach portal listing)
Estimated Impact: Over 3.4 million individuals (and growing)
Data Types Exposed: Names, addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers, demographic and health-related information
Attack Type: Unauthorised Access
Attack Vector: Unauthorised access to web portal processing eligibility verification transactions
Threat Actor: Not publicly attributed
Current Status: 3,433,965 individuals confirmed affected. Multiple class-action lawsuits filed against Cognizant. Number may increase.
Severity Assessment: Critical. Over 3.4 million patients affected through 11-month unauthorised access to healthcare claims processing systems. SSN and protected health information exposed.
What Happened
TriZetto Provider Solutions, a Missouri-based subsidiary of Cognizant that provides revenue management and claims processing services to healthcare providers, disclosed a data breach affecting multiple healthcare clients and their patients.
According to reporting by BleepingComputer and the HIPAA Journal, TriZetto identified suspicious activity on one of its web portals on October 2, 2025. A forensic investigation, conducted with the assistance of Mandiant, determined that unauthorised access had begun as early as November 2024, meaning the threat actor had access to TriZetto's systems for approximately 11 months before detection.
The compromised data reportedly includes names, addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers, and other demographic and health-related information tied to insurance eligibility verification transactions. TriZetto has stated that financial account numbers such as bank or credit card details were not part of this breach.
A filing with the Maine Attorney General confirmed the number of affected individuals at 3,433,965 as of early March 2026. TriZetto has noted that this number may increase as the data review continues.
Multiple healthcare providers have issued their own breach notifications as a result, including San Francisco Community Health Center and MercyOne. Several class-action lawsuits have been filed against Cognizant, alleging delayed notification and insufficient cybersecurity measures.
No ransomware group has publicly claimed responsibility, and there are no confirmed reports of the data appearing on dark web forums at the time of writing.
Timeline
November 2024: Unauthorised access to TriZetto web portal begins
October 2, 2025: Suspicious activity detected on web portal; forensic investigation initiated with Mandiant
Late 2025: Individual notifications begin for affected patients
Early March 2026: Filing with Maine Attorney General confirms 3,433,965 individuals affected
March 2026: Multiple class-action lawsuits filed against Cognizant
Impact and Risk Assessment
For Affected Individuals
Over 3.4 million patients had their SSNs, health insurance details, and Medicare beneficiary identifiers exposed, creating long-term identity theft and medical fraud risk.
Many affected individuals had no direct relationship with TriZetto and may not understand how their data came to be compromised through a downstream processor.
The 11-month dwell time means threat actors had extended access to ongoing eligibility verification transactions.
For Organisations
Multiple healthcare providers including San Francisco Community Health Center and MercyOne have had to issue their own breach notifications.
Cognizant faces multiple class-action lawsuits alleging delayed notification and insufficient cybersecurity measures.
Healthcare providers that relied on TriZetto must now assess their own HIPAA compliance obligations in light of their business associate's breach.
Regulatory Context
HIPAA breach notification requirements apply. Under HIPAA, covered entities remain responsible for ensuring their business associates protect patient data.
The extended dwell time and notification timeline may draw scrutiny from HHS Office for Civil Rights regarding timely breach reporting obligations.
What Should You Do?
If You Are a Potentially Affected Individual
If you have received healthcare services from a provider that uses TriZetto for claims processing, monitor your credit reports and explanation of benefits statements for signs of identity misuse or medical fraud.
Consider placing a fraud alert with major credit bureaus if you receive a notification letter from TriZetto or an affected healthcare provider.
If You Are a Security or Risk Professional
Review your vendor risk management programme and verify that agreements with business associates include meaningful security requirements and timely breach notification clauses.
Ensure that downstream processors handling eligibility verification data have detection and response capabilities that go beyond annual audits.
If you are a healthcare provider or business associate handling protected health information, this is a good time to confirm that your vendors have continuous monitoring in place.
Learnings and Recommendations
An 11-month dwell time is a significant concern, but it is unfortunately not unusual in the healthcare sector. Web portals that handle sensitive data, especially those used by third-party vendors and business associates, need continuous monitoring and anomaly detection. Periodic access reviews are not enough when a portal is processing millions of eligibility transactions.
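One form the continuous monitoring described above can take, shown as an added example that is not from the advisory's sources or from TriZetto: each portal account is compared against its own history of distinct members looked up per day, using a median/MAD baseline. The log fields, account names, dates and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median


def sample_events():
    """Constructed eligibility-lookup log: (date, portal_account, member_id)."""
    events = []
    for day in range(1, 9):
        date = f"2025-01-{day:02d}"
        volumes = {"clinic-a": 40 + day % 3, "clinic-b": 5 + day % 3}
        if day == 8:
            volumes["clinic-b"] = 60  # constructed spike for a low-volume account
        for acct, n in volumes.items():
            events += [(date, acct, f"{acct}-{day}-{i}") for i in range(n)]
    return events


def daily_distinct(events):
    """Count distinct member IDs queried per account per day."""
    seen = defaultdict(set)
    for date, acct, member in events:
        seen[(acct, date)].add(member)
    per_acct = defaultdict(dict)
    for (acct, date), members in seen.items():
        per_acct[acct][date] = len(members)
    return per_acct


def flag_anomalies(events, min_history=5, k=6.0):
    """Flag days where an account exceeds median + k*MAD of its own prior days."""
    alerts = []
    for acct, days in daily_distinct(events).items():
        ordered = sorted(days)  # ISO dates sort chronologically
        for idx, date in enumerate(ordered):
            history = [days[d] for d in ordered[:idx]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            med = median(history)
            # MAD is robust to earlier outliers; floor at 1 to avoid a zero band
            mad = median(abs(x - med) for x in history) or 1.0
            if days[date] > med + k * mad:
                alerts.append((date, acct, days[date], med))
    return sorted(alerts)


if __name__ == "__main__":
    for date, acct, count, baseline in flag_anomalies(sample_events()):
        print(f"{date} {acct}: {count} distinct members (baseline {baseline})")
```

Volume per account is only one signal; access that stays within an account's normal range needs other indicators such as new source networks or unusual query patterns.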
This breach also reinforces the challenge of third-party risk in healthcare. Many of the individuals affected had no direct relationship with TriZetto. They were patients of healthcare providers that used TriZetto as a downstream processor. Under HIPAA, the covered entity remains responsible for ensuring its business associates protect patient data, but in practice, visibility into a vendor's security posture is often limited.
If you are a healthcare provider or a business associate handling protected health information, this is a good time to review your vendor risk management programme, verify that your agreements include meaningful security requirements, and confirm that your vendors have detection and response capabilities that go beyond annual audits.
Sources
- BleepingComputer - Cognizant TriZetto breach exposes health data of 3.4 million
- HIPAA Journal - Trizetto Data Breach
- eSecurity Planet - TriZetto Data Breach Triggers Class-Action Lawsuits
- San Francisco Community Health Center - TriZetto Data Security Incident
- MercyOne - TriZetto Provider Solutions Security Incident